
IPsec VPN tunnel is established, but ping from one end to the peer end fails

Publication Date:  2012-09-11 Views:  555 Downloads:  0

Issue Description

A USG5100 at headquarters builds an IPsec VPN with a USG2110 at a branch. Pinging from the branch end to a certain address on the headquarters internal network succeeds. Once the tunnel is established, however, there is no way to ping from that headquarters internal address to the branch end. The USG software version is V100R005SPC300.

Alarm Information


Handling Process

1. Interface quick forwarding is not the issue, because the device is a USG5100; NAT was not configured on the device, and the rest of the configuration showed no problems.
2. Ping from the headquarters internal network to the branch internal network and check the session table on the USG:
[USG5100]disp firewall session table
09:46:20 2011/09/10
Current Total Sessions : 9
esp VPN:public --> public>
tcp VPN:public --> public>
icmp VPN:public --> public[]-->
netbios-data VPN:public --> public[]-->
The session towards the peer end has been translated by NAT, yet no outbound NAT is configured on the USG5100, and this address cannot reach the external network either.
3. Reviewing the configuration again shows that the user had configured an address mapping (nat server) for this address:
nat server 0 protocol tcp global 3389 inside 3389
After appending "no-reverse" to this command, the ping to the peer end's private network address succeeds. This shows that the IPsec data flow was matching the reverse session created by the nat server mapping.

Root Cause

1. Interface quick forwarding problem.
2. Outbound NAT does not yet deny the IPsec interesting traffic.
3. Others.


When an address has a reverse session in the outbound direction, the nat server mapping matches on the entire IP address; it does not match only the specific port, even if the mapping was configured on a per-port basis.
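To make the root cause concrete, the following Python model (added here; it is not code from the article or from the USG product) shows how the reverse session of a nat server entry interacts with the IPsec interesting-traffic ACL, and how no-reverse changes the outcome. The addresses, subnets, dataclass and function names are constructed assumptions, and the model is a simplification of the behaviour described above, not the firewall's actual forwarding logic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example networks (not taken from the article).
HQ_LAN = ip_network("10.1.1.0/24")       # headquarters internal network
BRANCH_LAN = ip_network("10.2.2.0/24")   # branch internal network


@dataclass
class NatServer:
    """One 'nat server' entry; only the fields the model needs."""
    protocol: str
    global_ip: str
    global_port: int
    inside_ip: str
    inside_port: int
    no_reverse: bool = False


def apply_outbound_nat(src_ip, proto, sport, entries):
    """Model of the article's root cause: unless 'no-reverse' is set, the
    reverse session of a nat server entry matches the whole inside address,
    so proto/sport are deliberately ignored here (ICMP has no port at all)
    and the source is rewritten to the global address."""
    for e in entries:
        if e.inside_ip == src_ip and not e.no_reverse:
            return e.global_ip
    return src_ip


def matches_ipsec_acl(src_ip, dst_ip):
    """Interesting-traffic ACL: HQ LAN -> branch LAN (constructed)."""
    return ip_address(src_ip) in HQ_LAN and ip_address(dst_ip) in BRANCH_LAN


def hq_host_pings_branch(entries, src="10.1.1.10", dst="10.2.2.20"):
    """Return 'encrypted' if the ping is matched into the tunnel, else
    'leaked'. NAT is applied before the IPsec policy check, as the
    already-translated session in the article's session table implies."""
    translated = apply_outbound_nat(src, "icmp", 0, entries)
    return "encrypted" if matches_ipsec_acl(translated, dst) else "leaked"


def inbound_rdp_reaches_server(entries, dport):
    """The forward mapping is unaffected by 'no-reverse': Internet -> global
    tcp/3389 is still delivered to the inside host either way."""
    return any(e.protocol == "tcp" and e.global_port == dport for e in entries)
```

Only the host that carries the nat server mapping is affected; other hosts on the headquarters LAN still match the IPsec ACL unchanged, which matches the symptom of a single address failing.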